Abstract — In a point-to-point communication system which 
consists of a sender s, a receiver t and a set of noiseless 
channels, the sender s wants to transmit a private message to 
the receiver t through the channels which may be eavesdropped 
by a wiretapper. The wiretapper can access any one but not 
more than one set of channels. It is assumed that from each 
wiretap set, the wiretapper can obtain some partial information 
about the private message which is measured by the wiretapper's 
equivocation. The security strategy is to encode the message with 
some random key. Under these settings, we define an achievable 
rate tuple in terms of the message, the key and the wiretapper's 
equivocation and prove a tight rate region of the rate tuples. 

Index terms. Imperfect secrecy, wiretap channel, secret sharing. 

I. Introduction 

Information-theoretic security was launched by Shannon in 
his seminal paper [7], in which a sender wants to transmit a 
private message to a receiver in the presence of a wiretapper. 
This model, referred to as the Shannon cipher system, 
requires that the wiretapper can obtain no information about the 
message. In this paper, we will refer to it as perfect security for 
ease of discussion. In order to protect the message, the sender 
encodes the message with a random key which is shared with 
the receiver a priori but unknown to the wiretapper. The sender 
transmits the encrypted message in a public channel to the 
receiver and the receiver can recover the message from the key 
and the encrypted message. The wiretapper, without the key, can 
obtain no information about the private message. The 
conclusion, known as the perfect secrecy theorem, is that 
the size of the key should be not less than the size of the 
message if perfect security is required. A recent result by Ho 
et al. in [4] showed an even stronger bound: in the Shannon 
cipher system, the size of the key is lower bounded by the 
logarithm of the cardinality of the message alphabet. 

The Shannon cipher system was generalized to secret sharing 
by Blakley [1] and Shamir [6]. Ozarow and Wyner [5] 
also studied a similar problem which they called the wiretap 
channel II. In this model, information is sent to the receiver 
through a set of point-to-point channels. It is assumed that 
the wiretapper can access any one but not more than one set 
of channels, called a wiretap set, out of a collection $\mathcal{A}$ of all 
possible wiretap sets, where $\mathcal{A}$ is specified by the problem 
under consideration. In [5], $\mathcal{A}$ consists of all the subsets of 
the channel set with size r. The strategy to protect the private 
message is the same as that in the Shannon cipher system. 
Specifically, they proved a lower bound on the size of the key 
which can be attained by a group code. This result is further 
generalized in Cheng and Yeung [3] for an arbitrary $\mathcal{A}$. They 
proved a lower bound on the size of the key and showed that 
it can be achieved by a linear code. 

Imperfect secrecy was independently studied in Yamamoto 
[9] and Yeung [10] (p. 116). The communication model in 
[10] is the same as the model described in the Shannon 
cipher system, except that the wiretapper can obtain partial 
information about the message, which is measured by the 
mutual information between the message and the symbols 
obtained by the wiretapper. The imperfect secrecy theorem 
states that this mutual information is lower bounded by the 
difference between the size of the message and the size of 
the key. In [9], Yamamoto studied source coding problems for 
the Shannon cipher system with correlated source outputs (X, Y) 
by considering several situations such that both X and Y, only 
X, or only Y must be transmitted to the receiver, or both 
X and Y, only X, or only Y must be kept secret from the 
wiretapper. The admissible region of the cryptogram rate and 
the key rate for a given security level is derived for each case. 
A result equivalent to the perfect secrecy theorem is proved 
in the converse part. When imperfect security is considered 
in a wiretap network $\mathcal{G} = (V, \mathcal{E})$, where V is the set of nodes 
and $\mathcal{E}$ is the set of channels, Cai and Yeung in [2] proved 
two tight bounds on the minimum length of the key and the 
maximum length of the message, provided that the collection 
$\mathcal{A}$ of all the possible wiretap sets consists of all the subsets of 
$\mathcal{E}$ with size r and the information leakage about the message 
in each wiretap set is at most $i \log q$, where i is a fixed integer 
satisfying $0 \le i \le r$ and q is the size of the alphabet. 

Xu and Chen in [8] studied how to communicate securely 
over a network in which each channel may be noisy or noiseless. 
Their model is a single-source single-sink acyclic planar 
network without network coding and the communication between 
the source and the sink is subject to non-cooperative 
eavesdropping on each link, namely $\mathcal{A}$ consists of all the 
subsets of the channel set with a single channel. From each 
wiretap set in $\mathcal{A}$, the wiretapper can obtain partial information 
about the message, which is measured by the wiretapper's 
equivocation. They defined an achievable rate tuple including 
the message rate, the key rate and the equivocation rate for 
each wiretap set. They proved sufficient conditions in terms 
of the communication rates and the network parameters for 
provably secure communication, along with an intuitive and 
efficient coding scheme. Furthermore, the derived achievable 
rate region is tight for several special cases. In the following, 
we refer to this model as the non-cooperative imperfect secrecy 
system. 

In this work, we define a security model which generalizes 
the model in [5]. The communication model is the same as 
that in [5]. The main difference here is that in our model $\mathcal{A}$ 
is arbitrary and from each wiretap set in $\mathcal{A}$, the wiretapper 
can obtain some information about the message. On the other 
hand, our model subsumes the noiseless part of the model in 
[8], since the communication in a single-source single-sink 
network without network coding can be simplified as a 
point-to-point system. We also define an achievable rate tuple similar 
to that in [8] and a tight rate region is proved under these 
settings. 

The rest of the paper is organized as follows. First, we give 
the problem formulation and introduce some related results in 
Section II. Then we present our main result on the rate region 
in Section III, including the converse and the achievability. 
Finally, we conclude in Section IV. 

II. Problem Formulation and Related Result 

A. Problem Formulation 

The communication model in our problem is described as 
follows: 

• The communication is between a transmitter s and a 
receiver t, which are connected by a set of point-to-point 
noiseless channels. Let $\mathcal{E} = \{e_1, e_2, \ldots, e_h\}$ be 
the set of channels and $h = |\mathcal{E}|$. For each channel $e_i$, 
$1 \le i \le h$, the channel capacity is $C_i \log q$, where $C_i$ is 
an integer. Hence, $C_i$ symbols from a common alphabet 
$F$ are transmitted on $e_i$ each time. Denote the symbols 
transmitted on $e_i$ by $Y_{e_i}$ and q= 
• The message M is generated at the transmitter s according 
to a uniform distribution on the message set $\mathcal{M}$. The 
key K, also generated at the transmitter s, takes value in 
an alphabet $\mathcal{K}$ according to the uniform distribution, and 
is independent of M. The transmitter needs to send the 
encrypted message to the receiver and the receiver needs 
to recover both the message and the key. The rates of the 
message and the key are defined as follows. 
• Let $\mathcal{A}$ be the set of wiretap sets and $d = |\mathcal{A}|$. The 
wiretapper can access at most one wiretap set in $\mathcal{A}$. 
For each wiretap set $I_i$, $1 \le i \le d$, let $Y_{I_i}$ be the symbols 
transmitted in $I_i$. It is required that the wiretapper's 
equivocation $H(M|Y_{I_i})$ is lower bounded by a given 
constant $R_i \log q$, namely 

$$R_i \le \frac{H(M|Y_{I_i})}{\log q}. \tag{3}$$


Definition 1. The encoder is a function f such that 
$f : \mathcal{M} \times \mathcal{K} \to \prod_{i=1}^{h} F^{C_i}$. The decoder is a function g such 
that $g : \prod_{i=1}^{h} F^{C_i} \to \mathcal{M} \times \mathcal{K}$. The corresponding rate tuple 
$(R_M, R_K, R_{i:1 \le i \le d})$ is an achievable rate tuple if $g \circ f$ is the 
identity function and (3) holds for all $i = 1, 2, \ldots, d$. 

The rate region $\mathcal{R}$ is defined as the set of all achievable 
rate tuples $(R_M, R_K, R_{i:1 \le i \le d})$. In the sequel, we refer to 
this model as a cooperative imperfect secrecy system. 

Next, we define the achievable rate tuple by a block code 
in terms of M, K and $Y_{I_i}$, $1 \le i \le d$. The achievable rate 
tuple is defined as follows. 

Definition 2. A rate tuple $(R_M, R_K, R_{i:1 \le i \le d})$ is achievable 
by block codes if there exists a sequence of $(M_n, K_n)$ 
such that 

$$R_M = \lim_{n \to \infty} \frac{1}{n} \frac{\log |\mathcal{M}_n|}{\log q}, \tag{4}$$

$$R_K = \lim_{n \to \infty} \frac{1}{n} \frac{\log |\mathcal{K}_n|}{\log q}, \tag{5}$$

$$R_i \le \liminf_{n \to \infty} \frac{H(M_n | Y_{I_i,n})}{n \log q}, \quad 1 \le i \le d, \tag{6}$$

where $M_n \in \mathcal{M}_n \subset \mathcal{M}^n$, $K_n \in \mathcal{K}_n \subset \mathcal{K}^n$, and $Y_{I_i,n} \in$ r\ 

In the sequel, we assume that the base of the logarithm in 
the entropy quantities (e.g., $H(X)$, $I(X;Y)$) is q. Then the 
factor can be omitted in (1)-(6). 

B. Related Result 

1) Perfect and Imperfect Secrecy: The perfect secrecy 
theorem in Q is stated as follows. 

Theorem 1 (Perfect Secrecy Theorem). Let X be the plain 
text, Y be the cipher text, and K be the key in a secret key 
cryptosystem. If perfect secrecy is achieved, i.e., $I(X;Y) = 0$, 
then 

$$H(K) \ge H(X). \tag{7}$$

In the wiretap network model [2], the following result 
similar to the perfect secrecy theorem was proved. 

Theorem 2¹. In a wiretap network, let K be the key and $Y_I$ 
be the symbols transmitted in wiretap set I. Then 

$$H(K) \ge H(Y_I). \tag{8}$$

As a generalization of the perfect secrecy theorem, the 
imperfect secrecy theorem in [10] (p. 116) is stated below. 

Theorem 3 (Imperfect Secrecy Theorem). Let X be the plain 
text, Y be the cipher text, and K be the key in a secret key 
cryptosystem. Then 

$$I(X;Y) \ge H(X) - H(K). \tag{9}$$

In the above theorem, if $I(X;Y) = 0$, then (9) becomes 
(7), i.e., the theorem reduces to the perfect secrecy theorem. 
In [9], it was proved that for any secret key cryptosystem, 

$$H(K) \ge H(X|Y), \tag{10}$$

which is equivalent to (9). 

¹ This theorem can be found in Appendix A, Equation (27) of [2]. 



2) Secure Coding over Networks: The system model in [8] 
is a single-source single-sink directed acyclic network with the 
assumption that each wiretapper can access only one channel 
and there is no network coding in the network. Each channel 
in the network may be noisy or noiseless. 

When all the channels in the network are noiseless, the 
network can be simplified as a point-to-point communication 
system, in which each channel is a path from the source node 
to the destination node in the original network and the set of 
wiretap sets $\mathcal{A}$ is arbitrary. Hence our model subsumes the 
non-cooperative model for this special case. 

In [8], an achievable rate region of rate tuples was obtained 
for noisy channels, and the region was shown to be tight for 
several special cases. Based on the achievable rate region, they 
also gave an algorithm for constructing a secure code on the 
network. 

The achievable rate region for noiseless channels is stated 
below. 

Theorem 4 (Theorem 2, [8]). A rate tuple $(R_M, R_K, R_e)$, 
$e \in \mathcal{E}$, is achievable, if there exist auxiliary numbers such 
that 

< re < Rm + Rk; 
0<Re< Rm; 

< Rm + Rk < min / r^; 

Cut ^ — ^ 

Re < Rm + Rk — fe ■ 

In the above, $R_e$ and $C_e$ correspond to $R_i$ and $C_i$ in our 
formulation; $E_{Cut}$ is the set of channels across a given cut 
Cut. 

III. Rate Region of the Rate Tuple 

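The main result of this paper is a characterization of the 
rate region $\mathcal{R}$ given by the following theorem. 

Theorem 5. A rate tuple $(R_M, R_K, R_{i:1 \le i \le d})$ is in $\mathcal{R}$ if and 
only if 

$$R_M = \sum_{i=1}^{h} r_i - R_K, \tag{11}$$

$$R_M \ge R_i, \quad 1 \le i \le d; \tag{12}$$

$$R_i \ge 0, \quad 1 \le i \le d; \tag{13}$$

$$R_K \ge 0; \tag{14}$$

where $r_i$'s satisfy 

$$0 \le r_i \le C_i, \quad 1 \le i \le h; \tag{15}$$

$$\sum_{e_i \in I_j} r_i \le R_K + R_M - R_j, \quad 1 \le j \le d. \tag{16}$$
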

A. Converse 

In this section, we prove that if $(R_M, R_K, R_{i:1 \le i \le d}) \in \mathcal{R}$, 
then the constraints (11)-(16) hold. The constraints (13) and 
(14) are obvious. 

We first prove the constraint (12). By the constraint (3), 

$$R_i \le H(M|Y_{I_i}) \le H(M) = R_M. \tag{17}$$

Hence the constraints (12)-(14) hold. 
Let's consider an equivalent condition of constraint (3). For 
all $1 \le i \le d$, let 

$$c_i = R_M - R_i = H(M) - R_i. \tag{18}$$

The constraint (3) is equivalent to 

$$I(Y_{I_i}; M) \le H(M) - R_i.$$

Namely 

$$0 \le I(Y_{I_i}; M) \le c_i. \tag{19}$$

By (17) and (18), 

$$0 \le c_i \le R_M.$$

Next, we prove a lemma which generalizes Theorem 2. 

Lemma 1. In a cooperative imperfect secrecy system, let 
M be the message, K be the key and $Y_I$ be the symbols 
transmitted in wiretap set I. Then 

$$I(Y_I; M) \ge H(Y_I) - H(K). \tag{20}$$

Proof: Since $I(M;K) = 0$ and $H(Y_I|M,K) = 0$, 

$$\begin{aligned}
I(Y_I; M) &= H(Y_I) - H(Y_I|M) \\
&\ge H(Y_I) - H(M,K|M) \\
&= H(Y_I) - H(K|M) \\
&= H(Y_I) - H(K).
\end{aligned}$$

■ 

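In the next lemma, we prove the constraints (11), (15), and 
(16). 

Lemma 2. Any tuple $(R_M, R_K, R_{i:1 \le i \le d}) \in \mathcal{R}$ satisfies 

$$R_M = \sum_{i=1}^{h} r_i - R_K,$$

where $r_i$'s satisfy 

$$0 \le r_i \le C_i, \quad 1 \le i \le h;$$

$$\sum_{e_i \in I_j} r_i \le R_K + R_M - R_j, \quad 1 \le j \le d.$$

Proof: By Lemma 1 and the inequality (19), for each 
wiretap set $I_i$, 

$$H(Y_{I_i}) - H(K) \le I(Y_{I_i}; M) \le c_i.$$

Namely, 

$$H(Y_{I_i}) \le H(K) + c_i = R_K + c_i.$$

For each channel $e_i$, $1 \le i \le h$, 

$$H(Y_{e_i}) \le C_i.$$

Since $Y_{(e_i : 1 \le i \le h)}$ is a function of $(M, K)$ and $(M, K)$ can be 
recovered by $Y_{(e_i : 1 \le i \le h)}$, 

$$H(Y_{(e_i : 1 \le i \le h)}) = H(M, K) = H(M) + H(K). \tag{21}$$

Hence, 

$$H(M) = H(Y_{(e_i : 1 \le i \le h)}) - H(K),$$

which is equivalent to 

$$R_M = H(Y_{(e_i : 1 \le i \le h)}) - R_K.$$

For $1 \le i \le h$, let 

$$r_i = H(Y_{e_i} | Y_{(e_1, e_2, \ldots, e_{i-1})}).$$

Then for all $I_j$, $1 \le j \le d$, 

$$r_i \le H(Y_{e_i} | Y_{(e_k : e_k \in I_j, k < i)}).$$

Furthermore 

$$\begin{aligned}
R_M &= H(Y_{(e_i : 1 \le i \le h)}) - R_K \\
&= \sum_{i=1}^{h} H(Y_{e_i} | Y_{(e_1, e_2, \ldots, e_{i-1})}) - R_K \\
&= \sum_{i=1}^{h} r_i - R_K;
\end{aligned}$$

$$0 \le r_i \le H(Y_{e_i}) \le C_i;$$

$$\sum_{e_i \in I_j} r_i \le R_K + c_j = R_K + R_M - R_j, \quad 1 \le j \le d,$$

which completes the proof. ■ 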

B. Achievability 

In this section, we prove that $(R_M, R_K, R_{i:1 \le i \le d}) \in \mathcal{R}$ if 
there exists $(r_1, r_2, \ldots, r_h)$ such that the constraints (11)-(16) 
are satisfied. 

In the following, a special code in which the symbols sent on 
the channels are mutually independent is studied. We design a 
block code with length n as follows. The sender generates M 
and K at rates $R_M$ and $R_K$, respectively, and sends symbols 
on each channel $e_i$ ($1 \le i \le h$) at rate $r_i$. Next, we prove that 
the tuple $(R_M, R_K, R_{i:1 \le i \le d})$ can be attained by a linear 
code. 

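Let the symbols on channel $e_i$ ($1 \le i \le h$) be $X_i$. $\lfloor x \rfloor$ is 
the floor function. Let 

$$C'_i = \lfloor n C_i \rfloor; \tag{22}$$

$$c'_i = \lfloor n c_i \rfloor; \tag{23}$$

$$n_M = \lfloor n R_M \rfloor = \lfloor n H(M) \rfloor; \tag{24}$$

$$n_K = \lfloor n R_K \rfloor = \lfloor n H(K) \rfloor; \tag{25}$$

$$n_i = \lfloor n r_i \rfloor = \lfloor n H(X_i) \rfloor, \quad 1 \le i \le h. \tag{26}$$

Thus, by (11), (15), and (16), $n_M$, $n_K$, and $(n_1, n_2, \ldots, n_h)$ 
satisfy that 

$$n_M = \sum_{i=1}^{h} n_i - n_K; \tag{27}$$

$$0 \le n_i \le C'_i, \quad 1 \le i \le h; \tag{28}$$

$$\sum_{e_j \in I_i} n_j \le n_K + c'_i, \quad 1 \le i \le d. \tag{29}$$

Usually, there may be rounding errors in (27)-(29). Since real 
numbers can be approximated by rational numbers, we can 
assume that the variables in (22)-(26), i.e., $C_i$, $R_M$, $R_K$, and 
$r_i$, $1 \le i \le h$, are rational numbers. There exist infinitely 
many n such that $n c_i$, $n C_i$, $n R_M$, $n R_K$, and $n r_i$, $1 \le i \le h$, 
are integer numbers. Hence, the rounding errors can be omitted 
here. 

When $n \to \infty$, 

$$\left(\frac{n_1}{n}, \frac{n_2}{n}, \ldots, \frac{n_h}{n}\right) \to (r_1, r_2, \ldots, r_h);$$

$$\sum_{i=1}^{h} \frac{n_i}{n} \to R_M + R_K.$$

Hence, when $n \to \infty$, $\left(\frac{n_1}{n}, \frac{n_2}{n}, \ldots, \frac{n_h}{n}\right)$ and $(r_1, r_2, \ldots, r_h)$ are 
equivalent. 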

For a matrix A, we write the number of rows and columns 
of A as row(A) and col(A), respectively. The following two 
lemmas are instrumental in the subsequent proofs. 

Lemma 3. Let $F_q$ be a finite field of size q. Let A, B be given 
matrices and (A, B) be the concatenated matrix of A and B. 
Let $Y = AM + BK$, where rank(A, B) = row(A, B). If M 
and K are uniformly distributed on $F_q^{\mathrm{col}(A)}$ and $F_q^{\mathrm{col}(B)}$, respectively, 
and $I(M;K) = 0$, then 

$$I(Y; M) = \mathrm{rank}(A, B) - \mathrm{rank}(B).$$

Proof: 

$$\begin{aligned}
I(Y; M) &= H(Y) - H(Y|M) \\
&= H(Y) - H(AM + BK | M) \\
&= H(Y) - H(BK | M) \\
&= H(Y) - H(BK) \\
&= \mathrm{rank}(A, B) - \mathrm{rank}(B).
\end{aligned}$$

■ 

Lemma 4 (Lemma 3, fT\). Let $V_1, V_2, \ldots, V_m$ be vector 
subspaces in $F_q^n$, and $\dim(V_i) = d_i$ ($1 \le i \le m$). If $d > 0$ 
and $d + d_i \le n$ ($1 \le i \le m$), then for $q > m$, there 
exists a vector subspace V of $F_q^n$, such that $\dim(V) = d$ 
and $\dim(V \oplus V_i) = \dim(V) + \dim(V_i)$ ($1 \le i \le m$). 

The remainder of this paper is largely about the following 
theorem. 

Theorem 6. When $q > |\mathcal{A}|$ is a prime power, if the integer 
tuple $(n_1, n_2, \ldots, n_h)$ satisfies (27)-(29), then there exists a 
linear code such that $H(M^n) = n_M$ and $H(K^n) = n_K$. 



Proof: The code can be constructed as follows: 
Let the finite field $F_q$ be the common alphabet of M and 
K and the common alphabet of all the channels $F = F_q$. The 
symbols transmitted on channel $e_i$ ($1 \le i \le h$) are taken from 
$F_q^{n_i}$, which means there are $n_i$ symbols from $F_q$ transmitted 
on $e_i$. Let $x_1, x_2, \ldots, x_{n_M+n_K}$ be all the symbols to send, 
where the first $n_1$ symbols are sent on $e_1$, the next $n_2$ symbols 
are sent on $e_2$, and the last $n_h$ symbols are sent on $e_h$. We 
construct $x_i$'s according to their positions in the sequence. 

Generate $n_K$ mutually independent symbols 
$K = (k_1, k_2, \ldots, k_{n_K})$ from $F_q$. Transmit K at the first $n_K$ positions, 
i.e., $1, 2, \ldots, n_K$. Namely, 

$$x_i = k_i, \quad 1 \le i \le n_K.$$

Generate $n_M$ $\left(= \sum_{i=1}^{h} n_i - n_K\right)$ mutually independent message 
symbols $(m_1, m_2, \ldots, m_{n_M})$ from $F_q$. For the remaining 
$n_M$ positions in $(e_i : 1 \le i \le h)$, transmit the encrypted 
message by the encoding function: 

$$x_j = m_{j-n_K} + b_j K, \quad n_K + 1 \le j \le n_K + n_M, \tag{30}$$

where $b_j \in F_q^{n_K}$ is a row vector to be determined in the 
following steps. 

We need to construct $\{b_i : n_K + 1 \le i \le n_K + n_M\}$ such 
that: 

(a) These $n_K + n_M$ symbols are mutually independent, which 
is equivalent to that both M and K can be recovered at 
node t. 

From the previous discussions, we can see that receiver t 
can recover K from the symbols in the first $n_K$ positions 
and by equation (30), M can be also recovered by 

$$m_{i-n_K} = x_i - b_i K, \quad n_K + 1 \le i \le n_K + n_M.$$

Hence, the required condition is satisfied. 

(b) The constraint (19) (which is equivalent to (3)) should 
hold for all the wiretap sets. 

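For $\{x_1, x_2, \ldots, x_{n_M+n_K}\}$, 

$$\begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_{n_M+n_K} \end{pmatrix} = \begin{pmatrix} A & B \end{pmatrix} \begin{pmatrix} M \\ K \end{pmatrix},$$

where 

$$\begin{pmatrix} A & B \end{pmatrix} = \begin{pmatrix} 0 & I_{n_K \times n_K} \\ I_{n_M \times n_M} & \begin{matrix} b_{n_K+1} \\ \vdots \\ b_{n_K+n_M} \end{matrix} \end{pmatrix}.$$

In the above, 0 is an $n_K \times n_M$ zero matrix and $I_{n_K \times n_K}$ 
is an $n_K \times n_K$ identity matrix. Recall that the symbols 
obtained in wiretap set $I_i = \{e_{i_1}, e_{i_2}, \ldots, e_{i_{|I_i|}}\}$ are $Y_{I_i}$, 
$1 \le i \le d$. Then 

$$Y_{I_i} = A_{I_i} M + B_{I_i} K,$$

where $A_{I_i}$ and $B_{I_i}$ are the corresponding sub-matrices 
of A and B, respectively. Consequently, we turn to a 
sufficient condition of $b_i$'s for the constraint (19). Since 
$x_1, x_2, \ldots, x_{n_M+n_K}$ are mutually independent, 

$$\mathrm{rank}(A_{I_i}, B_{I_i}) = \mathrm{row}(A_{I_i}, B_{I_i}) = \sum_{e_j \in I_i} n_j. \tag{31}$$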

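By Lemma 3, 

$$I(Y_{I_i}; M) = \mathrm{rank}(A_{I_i}, B_{I_i}) - \mathrm{rank}(B_{I_i}) = \sum_{e_j \in I_i} n_j - \mathrm{rank}(B_{I_i}).$$

If the constraint (19) holds, then 

$$I(Y_{I_i}; M) \le n \times c_i = c'_i.$$

Hence $B_{I_i}$ should satisfy that 

$$\sum_{e_j \in I_i} n_j - \mathrm{rank}(B_{I_i}) \le c'_i.$$

Namely, 

$$\mathrm{rank}(B_{I_i}) \ge \sum_{e_j \in I_i} n_j - c'_i, \quad \text{for all } 1 \le i \le d. \tag{32}$$

For $\sum_{e_j \in I_i} n_j$, by condition (29), since 

$$\sum_{e_j \in I_i} n_j \le n_K + c'_i, \tag{33}$$

we obtain that 

$$\sum_{e_j \in I_i} n_j - c'_i \le n_K = \mathrm{col}(B_{I_i}).$$

By (31), 

$$\sum_{e_j \in I_i} n_j - c'_i = \mathrm{row}(A_{I_i}, B_{I_i}) - c'_i = \mathrm{row}(B_{I_i}) - c'_i \le \mathrm{row}(B_{I_i}). \tag{34}$$

In summary, by (32)-(34), it is required to construct $b_i$'s 
such that 

$$\mathrm{rank}(B_{I_i}) \ge \sum_{e_j \in I_i} n_j - c'_i, \quad 1 \le i \le d, \tag{35}$$

where 

$$\sum_{e_j \in I_i} n_j - c'_i \le \mathrm{col}(B_{I_i}) = n_K;$$

$$\sum_{e_j \in I_i} n_j - c'_i \le \mathrm{row}(B_{I_i}) = \sum_{e_j \in I_i} n_j.$$

For (35), it suffices to construct $b_i$'s such that for all i, 
$1 \le i \le d$, 

$$\mathrm{rank}(B_{I_i}) = \min\{\mathrm{row}(B_{I_i}), \mathrm{col}(B_{I_i})\} = \min\Big\{\sum_{e_j \in I_i} n_j, n_K\Big\}. \tag{36}$$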

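Next, we construct $b_i$'s by mathematical induction. 

Initially, for $1 \le i \le n_K$, $b_i = (0, 0, \ldots, 0, 1, 0, \ldots, 0)$. Let 

$$Y^{j}_{I_i} = \begin{pmatrix} x_{i_1} \\ \vdots \\ x_{i_v} \end{pmatrix} = \begin{pmatrix} A^{j}_{I_i} & B^{j}_{I_i} \end{pmatrix} \begin{pmatrix} M \\ K \end{pmatrix},$$

where $x_{i_v}$'s are the symbols sent in $I_i$ with $1 \le i_v \le j$. 
Thus, $Y^{j}_{I_i}$ is a sub-vector of $Y_{I_i}$ up to index j and so are 
$A^{j}_{I_i}$ and $B^{j}_{I_i}$. When $j = n_M + n_K$, $Y^{j}_{I_i} = Y_{I_i}$, $A^{j}_{I_i} = A_{I_i}$ 
and $B^{j}_{I_i} = B_{I_i}$. Since $B^{n_K}_{I_i}$ is a sub-matrix of the 
$n_K \times n_K$ identity matrix $I_{n_K \times n_K}$, 

$$\mathrm{rank}(B^{n_K}_{I_i}) = \mathrm{row}(B^{n_K}_{I_i}),$$

which means inequality (36) holds. 

Suppose that when $k = l \ge n_K$, $\{b_i : 1 \le i \le l\}$ have 
been constructed successfully. Thus for all i, $1 \le i \le d$, 

$$\mathrm{rank}(B^{l}_{I_i}) = \min\{\mathrm{row}(B^{l}_{I_i}), \mathrm{col}(B^{l}_{I_i})\} \le \min\Big\{\sum_{e_j \in I_i} n_j, n_K\Big\}.$$

For $b_{l+1}$, it is required that for every wiretap set $I_i$ 
($1 \le i \le d$) that accesses $x_{l+1}$, if $\mathrm{rank}(B^{l}_{I_i}) < \min\{\sum_{e_j \in I_i} n_j, n_K\}$, 
then 

$$\mathrm{rank}(B^{l+1}_{I_i}) = \mathrm{rank}(B^{l}_{I_i}) + 1,$$

where $B^{l+1}_{I_i}$ and $B^{l}_{I_i}$ satisfy 

$$B^{l+1}_{I_i} = \begin{pmatrix} B^{l}_{I_i} \\ b_{l+1} \end{pmatrix}.$$

The existence of $b_{l+1}$ can be guaranteed by Lemma 4. 
Hence $b_{l+1}$ has been constructed successfully. In the 
above proof, by Lemma 4, $q > |\mathcal{A}| = d$ is sufficient 
for the existence of $b_i$'s. 

By mathematical induction, we complete the proof. 

Hence, $b_i$'s are successfully constructed, which completes the 
proof. ■ 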
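
The following Python sketch is an added example, not code from the paper: it builds the matrices A and B of the construction above for a small constructed instance, choosing each $b_j$ by exhaustive search over $F_q^{n_K}$ in place of the existence argument of Lemma 4, and evaluates the leakage $I(Y_{I_i}; M)$ of every wiretap set both by the rank formula of Lemma 3 and by direct enumeration. The instance (q = 5, n = (2, 1, 1), $n_K$ = 2, three wiretap sets) and all function names are assumptions made for illustration; a second code with every $b_j = 0$ shows the leakage when the message symbols are sent unmasked.

```python
from collections import Counter
from itertools import product
from math import log

def rank_mod_p(rows, p):
    """Rank of a matrix over GF(p), p prime (Gaussian elimination)."""
    m, rank = [list(r) for r in rows], 0
    for col in range(len(m[0]) if m else 0):
        piv = next((r for r in range(rank, len(m)) if m[r][col] % p), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [v * inv % p for v in m[rank]]
        for r in range(len(m)):
            if r != rank:
                m[r] = [(a - m[r][col] * b) % p for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank

def gains_rank(B, ch, I, cand, n, n_K, p):
    """True if B_I already has rank min{rows, n_K} or cand raises it by 1."""
    rows = [b for b, c in zip(B, ch) if c in I]
    r = rank_mod_p(rows, p)
    return r >= min(sum(n[c] for c in I), n_K) or rank_mod_p(rows + [cand], p) == r + 1

def build_code(n, n_K, wiretap_sets, p):
    """Greedy form of the inductive choice of b_j; returns A, B, channel map."""
    ch = [c for c, cnt in enumerate(n) for _ in range(cnt)]  # channel of each x_t
    B = [[int(i == j) for j in range(n_K)] for i in range(n_K)]  # x_i = k_i
    for pos in range(n_K, sum(n)):
        # Lemma 4 guarantees a candidate exists when q > |A|
        B.append(next(list(v) for v in product(range(p), repeat=n_K)
                      if all(gains_rank(B, ch, I, list(v), n, n_K, p)
                             for I in wiretap_sets if ch[pos] in I)))
    n_M = sum(n) - n_K
    A = [[0] * n_M for _ in range(n_K)] + [[int(i == j) for j in range(n_M)] for i in range(n_M)]
    return A, B, ch

def leakage_rank(A, B, ch, I, p):
    """Lemma 3: I(Y_I; M) = rank(A_I, B_I) - rank(B_I), in q-ary symbols."""
    idx = [t for t, c in enumerate(ch) if c in I]
    return rank_mod_p([A[t] + B[t] for t in idx], p) - rank_mod_p([B[t] for t in idx], p)

def leakage_bruteforce(A, B, ch, I, p):
    """I(Y_I; M) from the definition, enumerating uniform independent (M, K)."""
    idx, n_M, n_K = [t for t, c in enumerate(ch) if c in I], len(A[0]), len(B[0])
    y_cnt, my_cnt = Counter(), Counter()
    for M in product(range(p), repeat=n_M):
        for K in product(range(p), repeat=n_K):
            y = tuple((sum(a * m for a, m in zip(A[t], M)) +
                       sum(b * k for b, k in zip(B[t], K))) % p for t in idx)
            y_cnt[y] += 1
            my_cnt[M, y] += 1
    N = p ** (n_M + n_K)
    H = lambda cnt: -sum(c / N * log(c / N, p) for c in cnt.values())
    return H(y_cnt) + n_M - H(my_cnt)  # H(Y) + H(M) - H(M, Y), base q

# Constructed instance (assumption): q = 5, n = (2, 1, 1) symbols per channel,
# n_K = n_M = 2, wiretap sets as sets of channel indices; q > |A| = 3.
Q, N_SIZES, N_K, WIRETAP = 5, (2, 1, 1), 2, [{0}, {1, 2}, {0, 1}]
A, B, CH = build_code(N_SIZES, N_K, WIRETAP, Q)
LEAK = [leakage_rank(A, B, CH, I, Q) for I in WIRETAP]
B_WEAK = B[:N_K] + [[0] * N_K] * (len(B) - N_K)  # b_j = 0: message sent unmasked
LEAK_WEAK = [leakage_rank(A, B_WEAK, CH, I, Q) for I in WIRETAP]
```

On this instance the searched code leaks (0, 0, 1) symbols to the three wiretap sets, which meets the lower bound of Lemma 1 for each set, while the unmasked code leaks (0, 2, 1).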

IV. Conclusion 

In this paper, we have proved a tight rate region of the 
rate tuples in the cooperative imperfect secrecy model by a 
linear program, in which the key idea is from the imperfect 
secrecy theorem. The result can be treated as a bound from 
a cut-set if network coding is allowed in a general wiretap 
network. Although for a general case, the rate region of rate 
tuples is still open, our result has paved the way for the further 
discussion on this problem. 